

United States: New York Cybersecurity Updates

11/6/2018


Effective September 4, 2018, cybersecurity rules require covered entities regulated by the New York State Department of Financial Services (NYDFS) to encrypt confidential data when it is transferred externally and to implement policies and procedures to protect and monitor the use of this data. Covered entities must comply with the following provisions:

Securely maintain systems sufficient to support business operations, keeping those records for at least five years, and maintain audit trails designed to detect and respond to cybersecurity events that may harm any material part of normal operations, keeping those records for at least three years.

Develop policies and procedures to protect data, including those of a risk-based nature, ensuring that security is reviewed and tested periodically (and updated as necessary) by the chief information security officer or a qualified person.

Implement policies and procedures for the secure disposal of any confidential data that is no longer required for business operations (information that must be retained by law, or where disposal is not reasonably feasible, is exempt).

Encrypt confidential data.

Some covered entities are exempt from the above requirements. Employers should determine whether the rules apply to them and, if so, assess the impact of the changes. Where the rules apply and are not adhered to, penalties may apply.

The following additional changes are expected:

November 1, 2018: Every consumer credit reporting agency deemed to be a covered entity must comply with the NYDFS’ cybersecurity requirements.

February 15, 2019: Covered entities must submit a certification of compliance with NYDFS in addition to previous requirements.

March 1, 2019: Covered entities that use third-party service providers must adopt written policies and procedures that are based on a risk assessment and designed to ensure the security of information systems and confidential data accessible to third parties.

February 15, 2020: Covered entities must submit a certification of compliance with the third-party requirements.

These new requirements will likely affect many elements of a covered entity’s operations. The regulations will also likely indirectly affect many service providers that process nonpublic information for covered entities, since covered entities will need to revise their service-provider requirements to comply.
